Erblind Morina

Principal Incident Response Consultant at IBM X-Force



Erblind Morina is a DFIR-focused incident responder who spends most of his time inside complex investigations, reconstructing attacker activity and helping organizations recover from high-impact incidents. He is a Principal Incident Response Consultant at IBM X-Force, where he leads the cloud incident response service and acts as incident commander on major incidents. He also contributes to threat intelligence and the Security Intelligence podcast. His technical focus areas include incident response, digital forensics, threat intelligence, cloud security, and AI security.

Prior to IBM, he spent eight years across security operations, incident response, threat intelligence, and security leadership, including roles across the financial industry and government projects in EMEA, where he led detection and threat intelligence initiatives.


He co-founded Sense Cyber Research Center, a non-profit organization raising the cybersecurity baseline across the Western Balkans, and has spent over seven years building the regional security community through DEF CON Group Pristina, BSides Pristina, and Balkan Secure. He speaks at RSA Conference and BSides events across EMEA and holds GIAC GCFR, GCFA, and GCTI certifications.

Talks & Q&A

Closing the Cloud Incident Response Gap


Description:

In this talk, I present real-world cloud incident response through the lens of IBM X-Force Incident Response investigations, highlighting how threat actors compromise modern cloud environments. The session begins with war stories illustrating attacks across common cloud environments, spanning infrastructure and workloads, as well as complex hybrid cloud scenarios where threat actors pivot between on-premises systems and cloud, exploit trust boundaries, and maintain persistence. These cases provide insight into adversary TTPs and attack vectors.


The main part of the session covers the core challenges facing cloud IR teams. These include missing or incomplete audit logs, short retention periods, gaps in detection coverage, limited telemetry and visibility into cloud and container control planes, and inconsistencies across providers and platforms. Real-world examples demonstrate how these gaps allow attackers to operate undetected, slow investigations, and complicate evidence collection. The talk emphasises the importance of preparing environments through enabling logging, exporting telemetry, activating security detections, and integrating threat intelligence feeds, as well as establishing standardised IR workflows. This section provides actionable guidance for identifying blind spots, improving situational awareness, and strengthening posture across cloud, multi-cloud and hybrid environments.


To help close the cloud IR gap, I introduce a tool I built called AWSACS, which evaluates AWS environments for visibility and logging coverage and reports gaps that may hinder forensic evidence collection or IR investigations. AWSACS identifies which critical logs and security services, such as GuardDuty, CloudTrail, and Config, are enabled or missing, helping teams understand visibility gaps across their AWS environment.


The session concludes with a live demonstration of AWSACS in AWS. The war stories presented cover AWS, Azure, and GCP, including DevOps components such as Kubernetes, highlighting real-world cloud compromises and challenges. The demo shows how the tool can be used to assess visibility, detect missing logs, enable security controls, and help teams close the cloud IR gap by identifying gaps and improving readiness in real environments.
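The kind of visibility assessment described above, reduced to its simplest form, as an added example: this is not AWSACS or any code from the talk, but a small script that asks the same three questions (is a multi-region CloudTrail trail actively logging, is a GuardDuty detector enabled, is an AWS Config recorder recording) and reports each as "ok" or "gap". The boto3 method names and response keys are the real ones; the `FakeAwsClient` and the `SAMPLE_CLIENTS` account (a regional-only trail, no GuardDuty detector, Config recording, account id `111122223333` as a placeholder) are constructed so the check runs offline, and `boto3_clients` is the one-line swap for a real account.

```python
"""Minimal AWS logging/visibility coverage check (added example, not AWSACS).

Illustrates the checks a cloud IR readiness tool performs, written against the
boto3 client method names for CloudTrail, GuardDuty and AWS Config. The
FakeAwsClient and SAMPLE_CLIENTS below are constructed stand-ins so the script
runs offline; use boto3_clients() for a real account.
"""
from dataclasses import dataclass


@dataclass
class Finding:
    service: str
    status: str   # "ok" or "gap"
    detail: str


class FakeAwsClient:
    """Constructed stand-in returning canned API responses (not real AWS data)."""

    def __init__(self, responses):
        self._responses = responses

    def __getattr__(self, name):
        def call(**kwargs):
            value = self._responses[name]
            return value(**kwargs) if callable(value) else value
        return call


def check_cloudtrail(ct):
    """Gap unless at least one multi-region trail exists and is currently logging."""
    trails = ct.describe_trails().get("trailList", [])
    if not trails:
        return Finding("CloudTrail", "gap", "no trails configured")
    for t in trails:
        status = ct.get_trail_status(Name=t["TrailARN"])
        if status.get("IsLogging") and t.get("IsMultiRegionTrail"):
            return Finding("CloudTrail", "ok", f"multi-region trail {t['Name']} is logging")
    return Finding("CloudTrail", "gap", "no multi-region trail is currently logging")


def check_guardduty(gd):
    """Gap unless a detector exists in this region and its status is ENABLED."""
    ids = gd.list_detectors().get("DetectorIds", [])
    if not ids:
        return Finding("GuardDuty", "gap", "no detector in this region")
    det = gd.get_detector(DetectorId=ids[0])
    if det.get("Status") == "ENABLED":
        return Finding("GuardDuty", "ok", f"detector {ids[0]} enabled")
    return Finding("GuardDuty", "gap", f"detector {ids[0]} is {det.get('Status')}")


def check_config(cfg):
    """Gap unless a configuration recorder exists and is recording."""
    recorders = cfg.describe_configuration_recorders().get("ConfigurationRecorders", [])
    if not recorders:
        return Finding("Config", "gap", "no configuration recorder")
    statuses = cfg.describe_configuration_recorder_status().get("ConfigurationRecordersStatus", [])
    if any(s.get("recording") for s in statuses):
        return Finding("Config", "ok", "configuration recorder is recording")
    return Finding("Config", "gap", "recorder exists but is not recording")


def assess(clients):
    """clients: dict with keys cloudtrail, guardduty, config (boto3 or fake clients)."""
    return [check_cloudtrail(clients["cloudtrail"]),
            check_guardduty(clients["guardduty"]),
            check_config(clients["config"])]


def gaps(findings):
    """Names of the services whose check came back as a gap."""
    return [f.service for f in findings if f.status == "gap"]


def boto3_clients(region="us-east-1"):
    """Real clients for a live account (needs credentials); not used by the offline sample."""
    import boto3
    return {n: boto3.client(n, region_name=region) for n in ("cloudtrail", "guardduty", "config")}


# Constructed sample account: a regional-only trail, GuardDuty missing, Config recording.
SAMPLE_CLIENTS = {
    "cloudtrail": FakeAwsClient({
        "describe_trails": {"trailList": [{
            "Name": "mgmt-trail",
            "TrailARN": "arn:aws:cloudtrail:us-east-1:111122223333:trail/mgmt-trail",  # placeholder account id
            "IsMultiRegionTrail": False,
        }]},
        "get_trail_status": lambda Name: {"IsLogging": True},
    }),
    "guardduty": FakeAwsClient({"list_detectors": {"DetectorIds": []}}),
    "config": FakeAwsClient({
        "describe_configuration_recorders": {"ConfigurationRecorders": [{"name": "default"}]},
        "describe_configuration_recorder_status": {
            "ConfigurationRecordersStatus": [{"name": "default", "recording": True}]},
    }),
}

if __name__ == "__main__":
    for f in assess(SAMPLE_CLIENTS):
        print(f"{f.service:10} {f.status:4} {f.detail}")
```

Run as-is it reports CloudTrail and GuardDuty as gaps for the sample account; replace `SAMPLE_CLIENTS` with `boto3_clients()` to run the same three checks against a real region. The CloudTrail check deliberately treats a regional-only trail as a gap, since management events from other regions would be missing from the evidence trail during an investigation.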